Debian Bug report logs -
#827744
bzip2: CVE-2016-3189: heap use after free in bzip2recover
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 20 Jun 2016 12:21:09 UTC
Severity: grave
Tags: patch, security, upstream
Found in version bzip2/1.0.6-4
Fixed in version bzip2/1.0.6-8.1
Done: Ben Hutchings <ben@decadent.org.uk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#827744; Package src:bzip2.
(Mon, 20 Jun 2016 12:21:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>.
(Mon, 20 Jun 2016 12:21:13 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: bzip2
Version: 1.0.6-4
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for bzip2.
CVE-2016-3189[0]:
heap use after free in bzip2recover
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3189
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1319648
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Wed, 21 Sep 2016 12:39:03 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Aníbal Monsalve Salazar <anibal@debian.org>
to control@bugs.debian.org.
(Thu, 22 Sep 2016 13:00:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#827744; Package src:bzip2.
(Thu, 08 Dec 2016 08:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Dr. Tobias Quathamer" <toddy@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>.
(Thu, 08 Dec 2016 08:45:05 GMT) (full text, mbox, link).
Message #14 received at 827744@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Anibal and Santiago,
what's the status of this bug? It's RC and marked as "pending" for a
couple of months now, are you planning an upload soon?
Regards,
Tobias
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#827744; Package src:bzip2.
(Thu, 08 Dec 2016 09:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Santiago Ruano Rincón <santiago@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>.
(Thu, 08 Dec 2016 09:21:03 GMT) (full text, mbox, link).
Message #19 received at 827744@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
El 08/12/16 a las 09:42, Dr. Tobias Quathamer escribió:
> Hi Anibal and Santiago,
>
> what's the status of this bug? It's RC and marked as "pending" for a couple
> of months now, are you planning an upload soon?
>
> Regards,
> Tobias
>
Hi Tobias, thanks for pinging.
There is a trivial patch available, but I haven't been able to confirm
it actually fixes the issue. AFAICS, no other distro has applied it, and
I am waiting ACK from Julian (upstream).
Anibal, do you want to upload or we should remove the pending tag?
Cheers,
-- Santiago
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility.
(Sun, 29 Jan 2017 19:36:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 29 Jan 2017 19:36:06 GMT) (full text, mbox, link).
Message #24 received at 827744-close@bugs.debian.org (full text, mbox, reply):
Source: bzip2
Source-Version: 1.0.6-8.1
We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 827744@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated bzip2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Jan 2017 18:30:31 +0000
Source: bzip2
Binary: libbz2-1.0 libbz2-dev bzip2 bzip2-doc
Architecture: source
Version: 1.0.6-8.1
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
bzip2 - high-quality block-sorting file compressor - utilities
bzip2-doc - high-quality block-sorting file compressor - documentation
libbz2-1.0 - high-quality block-sorting file compressor library - runtime
libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 827744
Changes:
bzip2 (1.0.6-8.1) unstable; urgency=medium
.
* Non-maintainer upload.
* bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
Checksums-Sha1:
05e3ee8daefc87651b09c41c9f454790df0ac38b 2082 bzip2_1.0.6-8.1.dsc
d179574585850a3833300f8bee56249612bf5ca4 59875 bzip2_1.0.6-8.1.debian.tar.bz2
Checksums-Sha256:
d80deed11a1419ad090cb486dd2335850fd8719b809c32002dea04b485f55dbd 2082 bzip2_1.0.6-8.1.dsc
bdbe7bf29e014e44d79bb7c733fe63cae990ab50882a4a07867cf69c61ad72b7 59875 bzip2_1.0.6-8.1.debian.tar.bz2
Files:
7275cc6d76481ef19daa8d2e51e5456b 2082 utils important bzip2_1.0.6-8.1.dsc
b3bf7c9a957fa3a71661e45a58ab7eb0 59875 utils important bzip2_1.0.6-8.1.debian.tar.bz2
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAliOPqEACgkQ57/I7JWG
EQlnZQ//f5KWbjBCbvWGygFNSaIFaR+ABnrHPz4BEXJ7CnH7vNY2Er8bSEX2kWFG
zovVpc9nOFQpF/Xr85FZMwrr29Fei9D3GuRh8SQGpNz7k2294lXg0X/hSlNsMA/q
bVdNWlBKmtlirJiEwGNWSPzll9C/MQN4eyWAYIaQVyuQb3Pl2O7B3o4dJrpcRSdb
dsN4qHrRx768adYAbOopOnV7uuxb0XZmNb1kIqj0WVQTzHXKBFYMTf+yVoBlpyZn
0Wtt35/Q1IwfoMQ+lX1f2x+YXa9ZZS80dLMOkSMjBy3utroIZ+vTHE3+v1hp4i18
xMRl77RxOjNEfBSJ3io1204QuFdf7WAxGmXG8L+/CmghyEeZXf+cvLCtLa4euD71
9SLJsTzaT349YKZSBS4pHr5jtYuw6D6vPwX1ziKlazMulrQJSTQ/M0p6kwX452H7
esOjvF66xYiybxORZUlWckoClZzhhLjPL3dIFarAd6tIGQLdqBtLXWJ6DdEh5zQ3
oc8+z8+K5uYGwR2DOOOqgU3Yip0HahP1QiPIdDJggws1pg07LnyW3fT+N/h+cZDR
VwK3eV2arQN8MTS6fGmAmHUwyxwiomwFBITYonf5nRr5BQCUYVWkcNh7SAJUnes2
EpqwI3u9S41BM/gWnEllNpuGACgXOC1t52btrmNPwwg1edNJ8p4=
=6tJ8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 16 Jul 2017 07:40:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:15:34 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon